[ previous ] [ next ] [ threads ]
 
 From:  Christoph Hanle <christoph dot hanle at leinpfad dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Ideas for 2nd LAN security
 Date:  Tue, 27 Dec 2005 17:58:08 +0100
Sean Waite schrieb:
> I am in the process of setting up a second LAN (Wireless) using m0n0wall to bridge them. The first
is the regular local LAN, the second
> being just an access point to connect to one specific webserver within the first LAN.
Why do you use bridging and not a second subnet with nat ?
> 
> I have done two different configs of m0n0wall, one allowing DNS and the other rejecting DNS.
Ideally with the secure config we want to
> be able to connect to this specific internal webserver only. At the moment we can only access
other computers on the first LAN by using
> the IP address. Same goes for accessing the internet.
I don't understand, why rejecting DNS should be more secure ?

> 
> Any ideas on how I could lock this down some more? One idea I had, since the WAN interface is
static, I could set the gateway to use
> just the internal website's IP address. But as for blocking the first LAN, I would have to block
whatever ports Windows uses for LAN
> communication which seems to be kind of difficult to narrow down. 
> 
> One option could be to just block all ports above 80, but for some reason that seems a little too
restrictive. 
> 
> Any ideas or thoughts would be appreciated.
may be this a solution:
first rule: WLAN to DNS-Server allow
second rule: WLAN to M0n0s WLAN-IP block and log
next rules: WLAN to Webserver allowed-Ports allow
next rule: WLAN to LAN deny all / log
(next rules: WLAN to 0.0.0.0 allowed-Ports allow)
last rule WLAN to 0.0.0.0 deny all / log

bye
Christoph

> 
> 
> Sean Waite
> 
> 
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
> 

-- 
last words:
"let's make the backup tomorrow"